<html>
<META http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<head>
<title>Section 4.5.&nbsp; File Access Permissions</title>
<link rel="STYLESHEET" type="text/css" href="images/style.css">
<link rel="STYLESHEET" type="text/css" href="images/docsafari.css">
</head>
<body>
<table width="100%" border="0" cellspacing="0" cellpadding="0">
<tr><td><div STYLE="MARGIN-LEFT: 0.15in;"><a href="toc.html"><img src="images/team.gif" width="60" height="17" border="0" align="absmiddle"  alt="Team BBL"></a></div></td>
<td align="right"><div STYLE="MARGIN-LEFT: 0.15in;">
<a href=ch04lev1sec4.html><img src="images/prev.gif" width="60" height="17" border="0" align="absmiddle" alt="Previous Page"></a>
<a href=ch04lev1sec6.html><img src="images/next.gif" width="60" height="17" border="0" align="absmiddle" alt="Next Page"></a>
</div></td></tr></table>
<br><table width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td valign="top"><a name="ch04lev1sec5"></a>
<h3 class="docSection1Title">4.5. File Access Permissions</h3>
<p class="docText">The <tt>st_mode</tt> value also encodes the access permission bits for the file. When we say <span class="docEmphasis">file</span>, we mean any of the file types that we described earlier. All the file typesdirectories, character special files, and so onhave permissions. Many people think only of regular files as having access permissions.</P>
<p class="docText">There are nine permission bits for each file, divided into three categories. These are shown in <a class="docLink" href="#ch04fig06">Figure 4.6</a>.</P>
<a name="ch04fig06"></a><p><table cellspacing="0" class="allBorders" border="1" RULES="groups" cellpadding="5"><caption><H5 class="docTableTitle">Figure 4.6. The nine file access permission bits, from <tt>&lt;sys/stat.h&gt;</tt></H5></caption><colgroup><col width="150"><col width="125"></colgroup><thead><TR><th class="rightBorder bottomBorder thead" scope="col" align="center" valign="top"><p class="docText"><span class="docEmphRoman"><tt>st_mode</tt> mask</span></p></th><th class="bottomBorder thead" scope="col" align="center" valign="top"><p class="docText"><span class="docEmphRoman">Meaning</span></P></th></TR></thead><TR><td class="rightBorder" align="center" valign="top"><p class="docText"><tt>S_IRUSR</tt></P></td><TD class="docTableCell" align="left" valign="top"><p class="docText">user-read</P></TD></tr><TR><TD class="rightBorder" align="center" valign="top"><p class="docText"><tt>S_IWUSR</tt></p></TD><TD class="docTableCell" align="left" valign="top"><p class="docText">user-write</p></td></tr><tr><TD class="rightBorder bottomBorder" align="center" valign="top"><p class="docText"><tt>S_IXUSR</tt></p></TD><td class="bottomBorder" align="left" valign="top"><p class="docText">user-execute</P></td></tr><tr><td class="rightBorder" align="center" valign="top"><p class="docText"><tt>S_IRGRP</tt></p></td><td class="docTableCell" align="left" valign="top"><p class="docText">group-read</p></td></tr><tr><td class="rightBorder" align="center" valign="top"><p class="docText"><tt>S_IWGRP</tt></p></td><td class="docTableCell" align="left" valign="top"><p class="docText">group-write</p></td></TR><TR><td class="rightBorder bottomBorder" align="center" valign="top"><p class="docText"><tt>S_IXGRP</tt></P></TD><TD class="bottomBorder" align="left" valign="top"><p class="docText">group-execute</p></TD></TR><TR><td class="rightBorder" align="center" valign="top"><p class="docText"><tt>S_IROTH</tt></P></td><TD class="docTableCell" align="left" valign="top"><p class="docText">other-read</P></TD></tr><TR><TD class="rightBorder" align="center" valign="top"><p class="docText"><tt>S_IWOTH</tt></p></TD><TD class="docTableCell" align="left" valign="top"><p class="docText">other-write</p></td></tr><tr><TD class="rightBorder" align="center" valign="top"><p class="docText"><tt>S_IXOTH</tt></p></TD><td class="docTableCell" align="left" valign="top"><p class="docText">other-execute</P></td></tr></table></p><br>
<p class="docText"><a name="idd1e25433"></a><a name="idd1e25438"></a><a name="idd1e25444"></a><a name="idd1e25449"></a><a name="idd1e25454"></a><a name="idd1e25459"></a><a name="idd1e25464"></a><a name="idd1e25469"></a><a name="idd1e25474"></a><a name="idd1e25479"></a><a name="idd1e25484"></a><a name="idd1e25489"></a>The term <span class="docEmphasis">user</span> in the first three rows in <a class="docLink" href="#ch04fig06">Figure 4.6</a> refers to the owner of the file. The <tt>chmod</tt>(1) command, which is typically used to modify these nine permission bits, allows us to specify <tt>u</tt> for user (owner), <tt>g</tt> for group, and <tt>o</tt> for other. Some books refer to these three as owner, group, and world; this is confusing, as the <tt>chmod</tt> command uses <tt>o</tt> to mean other, not owner. We'll use the terms <span class="docEmphasis">user</span>, <span class="docEmphasis">group</span>, and <span class="docEmphasis">other</span>, to be consistent with the <tt>chmod</tt> command.</p>
<p class="docText">The three categories in <a class="docLink" href="#ch04fig06">Figure 4.6</a>read, write, and executeare used in various ways by different functions. We'll summarize them here, and return to them when we describe the actual functions.</p>
<ul><li><p class="docList">The first rule is that <span class="docEmphasis">whenever</span> we want to open any type of file by name, we must have execute permission in each directory mentioned in the name, including the current directory, if it is implied. This is why the execute permission bit for a directory is often called the search bit.</p><p class="docList">For example, to open the file <tt>/usr/include/stdio.h</tt>, we need execute permission in the directory <tt>/</tt>, execute permission in the directory <tt>/usr</tt>, and execute permission in the directory <tt>/usr/include</tt>. We then need appropriate permission for the file itself, depending on how we're trying to open it: read-only, readwrite, and so on.</p><p class="docList">If the current directory is <tt>/usr/include</tt>, then we need execute permission in the current directory to open the file <tt>stdio.h</tt>. This is an example of the current directory being implied, not specifically mentioned. It is identical to our opening the file <tt>./stdio.h</tt>.</p><p class="docList">Note that read permission for a directory and execute permission for a directory mean different things. Read permission lets us read the directory, obtaining a list of all the filenames in the directory. Execute permission lets us pass through the directory when it is a component of a pathname that we are trying to access. (We need to search the directory to look for a specific filename.)</p><p class="docList">Another example of an implicit directory reference is if the <tt>PATH</tt> environment variable, described in <a class="docLink" href="ch08lev1sec10.html#ch08lev1sec10">Section 8.10</a>, specifies a directory that does not have execute permission enabled. In this case, the shell will never find executable files in that directory.</p></li><li><p class="docList"><a name="idd1e25593"></a><a name="idd1e25598"></a><a name="idd1e25603"></a><a name="idd1e25608"></a><a name="idd1e25613"></a><a name="idd1e25618"></a><a name="idd1e25623"></a><a name="idd1e25628"></a><a name="idd1e25633"></a><a name="idd1e25638"></a><a name="idd1e25643"></a><a name="idd1e25646"></a>The read permission for a file determines whether we can open an existing file for reading: the <tt>O_RDONLY</tt> and <tt>O_RDWR</tt> flags for the <tt>open</tt> function.</p></li><LI><p class="docList">The write permission for a file determines whether we can open an existing file for writing: the <tt>O_WRONLY</tt> and <tt>O_RDWR</tt> flags for the <tt>open</tt> function.</P></li><LI><p class="docList">We must have write permission for a file to specify the <tt>O_TRUNC</tt> flag in the <tt>open</tt> function.</P></LI><li><p class="docList">We cannot create a new file in a directory unless we have write permission and execute permission in the directory.</P></LI><LI><p class="docList">To delete an existing file, we need write permission and execute permission in the directory containing the file. We do not need read permission or write permission for the file itself.</p></LI><li><p class="docList">Execute permission for a file must be on if we want to execute the file using any of the six <tt>exec</tt> functions (<a class="docLink" href="ch08lev1sec10.html#ch08lev1sec10">Section 8.10</a>). The file also has to be a regular file.</P></LI></UL>
<p class="docText">The file access tests that the kernel performs each time a process opens, creates, or deletes a file depend on the owners of the file (<tt>st_uid</tt> and <tt>st_gid</tt>), the effective IDs of the process (effective user ID and effective group ID), and the supplementary group IDs of the process, if supported. The two owner IDs are properties of the file, whereas the two effective IDs and the supplementary group IDs are properties of the process. The tests performed by the kernel are as follows.</p>
<div style="font-weight:bold"><ol class="docList" type="1"><LI><div style="font-weight:normal"><p class="docList">If the effective user ID of the process is 0 (the superuser), access is allowed. This gives the superuser free rein throughout the entire file system.</P></div></li><LI><div style="font-weight:normal"><p class="docList">If the effective user ID of the process equals the owner ID of the file (i.e., the process owns the file), access is allowed if the appropriate user access permission bit is set. Otherwise, permission is denied. By <span class="docEmphasis">appropriate access permission bit</span>, we mean that if the process is opening the file for reading, the user-read bit must be on. If the process is opening the file for writing, the user-write bit must be on. If the process is executing the file, the user-execute bit must be on.</P></div></li><li><div style="font-weight:normal"><p class="docList">If the effective group ID of the process or one of the supplementary group IDs of the process equals the group ID of the file, access is allowed if the appropriate group access permission bit is set. Otherwise, permission is denied.</p></div></li><LI><div style="font-weight:normal"><p class="docList">If the appropriate other access permission bit is set, access is allowed. Otherwise, permission is denied.</p></div></LI></ol></div>
<p class="docText">These four steps are tried in sequence. Note that if the process owns the file (step 2), access is granted or denied based only on the user access permissions; the group permissions are never looked at. Similarly, if the process does not own the file, but belongs to an appropriate group, access is granted or denied based only on the group access permissions; the other permissions are not looked at.</p>

<a href="17021535.html"><img src="images/pixel.gif" alt="" width="1" height="1" border="0"></a><UL></ul></td></tr></table>
<table width="100%" border="0" cellspacing="0" cellpadding="0">
<tr><td><div STYLE="MARGIN-LEFT: 0.15in;"><a href="toc.html"><img src="images/team.gif" width="60" height="17" border="0" align="absmiddle"  alt="Team BBL"></a></div></td>
<td align="right"><div STYLE="MARGIN-LEFT: 0.15in;">
<a href=ch04lev1sec4.html><img src="images/prev.gif" width="60" height="17" border="0" align="absmiddle" alt="Previous Page"></a>
<a href=ch04lev1sec6.html><img src="images/next.gif" width="60" height="17" border="0" align="absmiddle" alt="Next Page"></a>
</div></td></tr></table>
</body></html><br>
<table width="100%" cellspacing="0" cellpadding="0"
style="margin-top: 0pt; border-collapse: collapse;"> 
<tr> <td align="right" style="background-color=white; border-top: 1px solid gray;"> 
<a href="http://www.zipghost.com/" target="_blank" style="font-family: Tahoma, Verdana;
 font-size: 11px; text-decoration: none;">The CHM file was converted to HTM by Trial version of <b>ChmD<!--74-->ecompiler</b>.</a>
</TD>
</TR><tr>
<td align="right" style="background-color=white; "> 
<a href="http://www.etextwizard.com/download/cd/cdsetup.exe" target="_blank" style="font-family: Tahoma, Verdana;
 font-size: 11px; text-decoration: none;">Download <b>ChmDec<!--74-->ompiler</b> at: http://www.zipghost.com</a>
</TD></tr></table>
